The Data Protection Commission (DPC) in Ireland has published guidance for organisations to follow in order to ensure their cloud-based environments are secure. The DPC recommends all organisations using any type of cloud-based environment:
- review their default security settings,
- create clear policies and properly train staff,
- understand and monitor the data that is stored in cloud-based environments, and
- implement strong authentication procedures.
In a statement, the DPC said that “Cloud-based environments offer many advantages to organisations; however, they also introduce a number of technical security risks which organisations should be aware of, including data breaches, hijacking of accounts, and unauthorised access to personal data”.
The new guidance acts as a useful resource for all organisations that use cloud-based environments. In this article, we take a look at some key points from the DPC’s guidance note.
Access Control and Authentication
For the DPC it is critical that all organisations implement strong password policies to ensure that users accessing personal data within cloud-based environments do so in a secure manner. In addition, all organisations should implement two-factor authentication.
Importantly, the DPC notes that all organisations should undertake regular reviews of their access control procedures. These reviews should confirm that the access controls in place are up to date and remain effective in protecting the organisation against an evolving threat landscape, and they will reveal whether the procedures are adequate and working as intended.
Proactively engage your ICT Provider
Organisations very often engage external companies to provide their cloud-based solutions. In that scenario, the DPC advises that you should proactively engage with the provider and conduct regular security reviews to ensure that its protocols and procedures remain fit for purpose.
Documentation and Staff Training
The latest Verizon Data Breach Investigations Report indicates that human error is still one of the biggest reasons behind data breaches. This explains why the DPC makes it clear that all organisations need to conduct regular and appropriate training for their staff in addition to ensuring sufficient technology measures are in place.
In tandem with staff training is the need for clear policies and procedures. For example, organisations should have in place data retention and destruction procedures. These procedures need to be implemented across the organisation and verified through regular checks.
Know Your Data and Secure It
Through data discovery exercises and the development of a record of processing activities, organisations should be in a position to understand and monitor the types of data they hold in a cloud-based environment. This is critical to securing the data that you process.
Key takeaway
The main takeaway from the DPC’s guidance is the need to undertake regular and rigorous reviews of your cloud-based environment. These review exercises will allow all organisations to better identify and remedy any deficiencies that may exist.